CISA alerts: Why they belong on every MSP’s watchlist

Last week, we looked at how cybercriminals ramp up their activity during the summer months. As pool parties and vacation plans start, so do escalating cybersecurity alerts from both CISA and the Canadian Centre for Cyber Security. While organizations run lean on summer staffing and employees' attention is focused on family time, cybercriminals continue their year-round operations targeting vulnerable systems.

This summer has proven particularly active for both agencies, with critical vulnerabilities emerging across multiple sectors and attack vectors. Here are the key alerts MSPs should be monitoring. 

Citrix NetScaler crisis escalates

The Citrix NetScaler situation has dominated security alerts from both agencies this summer. CISA added multiple Citrix vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, while the Canadian Centre issued coordinated warnings about the same threats.

Three critical vulnerabilities—CVE-2025-5349, CVE-2025-5777, and CVE-2025-6543—are actively exploited in what researchers have dubbed ‘Citrix Bleed 2.’ These flaws affect NetScaler ADC and Gateway systems, which are commonly configured as VPNs, proxies, or AAA virtual servers.

The severity of these exploits is jarring. Successful attacks enable session token theft and unauthorized access to internal applications, VPNs, and data center networks. Federal agencies received just weeks to implement patches, underscoring the urgency that CISA assigned to these vulnerabilities. 

Industrial Control Systems under siege

MSPs in the industrial space will want to take special note of CISA releasing an unprecedented number of Industrial Control Systems (ICS) advisories this summer. On July 10 alone, thirteen ICS advisories were published, covering vulnerabilities in systems from major manufacturers including Siemens, Schneider Electric, and Mitsubishi Electric. 

Notable ICS alerts include: 

  • Multiple Schneider Electric Wiser Home Automation vulnerabilities 
  • Siemens Tecnomatix Plant Simulation security issues 
  • FESTO automation and didactic product vulnerabilities 
  • Kaleris Navis Terminal Operating System flaws 

This level of ICS advisory activity represents a significant escalation, suggesting threat actors are increasingly viewing industrial systems as attractive targets for both espionage and disruption. 

Legacy vulnerabilities return

In a concerning trend, CISA added several older vulnerabilities to the KEV catalog after observing active exploitation. These include: 

  • CVE-2014-3931: Multi-Router Looking Glass buffer overflow (CVSS 9.8) 
  • CVE-2016-10033: PHPMailer command injection vulnerability 
  • CVE-2019-5418: Ruby on Rails path traversal vulnerability 
  • CVE-2019-9621: Zimbra Collaboration Suite SSRF vulnerability 

This pattern demonstrates that attackers are systematically hunting for unpatched legacy systems, making comprehensive asset inventory and patch management critical for MSPs. 
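One way an MSP could act on this is to match KEV entries against its own asset inventory. The following is an added example, not code from the original post or from CISA. It assumes inventory software names are already normalized to the KEV `product` field; the CVE IDs and product names are from the list above, while the dates, clients and hosts are constructed sample data.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. CVE IDs and product
# names are from the article; the dateAdded/dueDate values are placeholders.
KEV_SAMPLE = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-2014-3931", "product": "Multi-Router Looking Glass",
   "dateAdded": "2025-07-07", "dueDate": "2025-07-28"},
  {"cveID": "CVE-2016-10033", "product": "PHPMailer",
   "dateAdded": "2025-07-07", "dueDate": "2025-07-28"},
  {"cveID": "CVE-2019-5418", "product": "Ruby on Rails",
   "dateAdded": "2025-07-25", "dueDate": "2025-08-15"},
  {"cveID": "CVE-2019-9621", "product": "Zimbra Collaboration Suite",
   "dateAdded": "2025-07-25", "dueDate": "2025-08-15"}
]}""")

# Constructed MSP inventory; client, host and software values are hypothetical.
INVENTORY = [
    {"client": "client-a", "host": "web01", "software": ["PHPMailer", "nginx"]},
    {"client": "client-a", "host": "mail01", "software": ["Zimbra Collaboration Suite"]},
    {"client": "client-b", "host": "app01", "software": ["ruby on rails", "PostgreSQL"]},
    {"client": "client-b", "host": "db01", "software": ["PostgreSQL"]},
]

def match_kev(kev, inventory, today):
    """Return one finding per (asset, KEV entry) match, most overdue first."""
    findings = []
    for entry in kev["vulnerabilities"]:
        added = date.fromisoformat(entry["dateAdded"])
        due = date.fromisoformat(entry["dueDate"])
        cve_year = int(entry["cveID"].split("-")[1])
        for asset in inventory:
            installed = {name.lower() for name in asset["software"]}
            if entry["product"].lower() not in installed:
                continue
            findings.append({
                "client": asset["client"], "host": asset["host"],
                "cve": entry["cveID"],
                # Years between the CVE ID's year and the KEV listing: the legacy gap.
                "cve_age_years": added.year - cve_year,
                # Positive means the KEV remediation due date has passed.
                "days_overdue": (today - due).days,
            })
    findings.sort(key=lambda f: f["days_overdue"], reverse=True)
    return findings

if __name__ == "__main__":
    for finding in match_kev(KEV_SAMPLE, INVENTORY, date(2025, 8, 1)):
        print(finding)
```

Exact name matching will miss assets whose software is recorded under a different name or bundled inside another product, so a production version would match on normalized identifiers rather than display names.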

Canadian Centre summer activity

The Canadian Centre for Cyber Security maintained an active alert schedule throughout the summer, covering critical updates across multiple platforms, including: 

  • Microsoft Monthly Rollups: July advisories addressed critical vulnerabilities in Microsoft 365 Apps across multiple versions and platforms. 
  • Chrome Zero-Day Exploitation: Google Chrome advisory AV25-426 warned of CVE-2025-6558, with Google confirming active exploitation in the wild. 
  • Enterprise Platform Vulnerabilities: Advisories covered GitLab Community and Enterprise editions, ServiceNow platforms, Dell PowerFlex Manager, and Grafana Image Renderer. 

As summer continues, cybercriminals remain active, targeting everything from Citrix NetScaler vulnerabilities to industrial control systems. MSPs must stay vigilant as older vulnerabilities are being exploited and new threats emerge across multiple sectors. This summer’s wave of critical vulnerabilities highlights the importance of ongoing patch management, asset inventory, and vulnerability scanning. For MSPs, staying proactive and up-to-date with security alerts is crucial to protect clients and maintain trust, especially when the risk of attack never takes a break.

Photo: Evannovostro / Shutterstock

This post originally appeared on Smarter MSP.
